Why ‘keep it simple, stupid’ always rings true in security

7 Oct 2022


Wallix’s CISO shares his thoughts on the growth of tech regulation and explains that going back to basics is worthwhile in security.

Pascal Fortier-Beaulieu is the chief information security officer at European cybersecurity company Wallix, having worked in the sector for more than 15 years. He comes from an engineering background and his experience spans the retail, energy, banking, pharma and transport industries, focusing on technology stacks in infrastructure.

As Wallix’s CISO, his main responsibilities are to ensure that information risks are identified, properly assessed and addressed at the right level.

“Fundamentally, CISOs need to have the ability to assess what risks are critical, what threats the organisation should fight and what risks need to be accepted – managing IT risk is a fundamental component of an IT strategy,” he told SiliconRepublic.com.

“The type of risks can be completely heterogeneous – it’s important to understand that risks are part of life and many often come with opportunities. Ultimately, all CISOs need to understand their threats to address them properly.”


What are some of the biggest challenges you’re facing in the current IT landscape?

One of the biggest challenges in the current IT landscape is being able to deliver consistency in a space that has a lot of noise and forces at play. This is a huge challenge, and of course there are plenty of technical topics and emerging technologies that need to be considered by security professionals – not to mention avoiding future crises and learning from recent and notorious disruptions like Log4Shell and WannaCry.

What’s more, security leaders need to consider increased innovation, ensure compliance and understand how things like compliance and security can impact on business agility.

For CISOs to operate at their best capacity, they need to action high-level and operational tasks all day long, and the biggest challenge of the CISO role is to combine all their tasks to achieve consistent objectives that are shared with the rest of the executive board.

Not everyone at C-level has a technical background and CISOs need to translate the different security issues and risks that are currently facing the business.

What are your thoughts on digital transformation?

With digitalisation, more tools and processes are becoming embedded in business processes across all industries and because of this, additional risks and potential security gaps are created. These risks won’t disappear – digitalisation is a goal for almost all organisations and many, if not all, require support on their transformation journey.

Multiple challenges need to be addressed, starting with multi-technology use including the uptake of operational technology (OT), cloud computing and SaaS applications to name a few. Then, risk must be mitigated and emerging threats facing organisations need to be identified before a potential disaster strikes.

It’s also difficult for companies to manage all their technologies and processes all at once. However, there are solutions available to manage things like user access while securing endpoints efficiently, without hindering user experiences.

How can sustainability be addressed from an IT perspective?

We have a lot of trouble with energy use in technology. It’s a huge cost for customers and end-users alike, and for cloud providers it’s a big, costly issue.

Energy usage has pushed executives to rationalise the IT resources we use, and one trend I can see emerging is businesses taking the opportunity to integrate reduced electricity consumption into their technological design.

It’s a strong opportunity to become more sustainable and conscious of how we use electricity. Look at OT for example. OT is being used everywhere and measuring energy usage is a strong opportunity to optimise electricity costs. This is an example of digitalisation being beneficial from a sustainable point of view.

What big tech trends do you believe are changing the world?

The trend I’m excited to see develop is businesses starting to become more focused on risk and less on executing tasks. Tech is becoming increasingly important in our daily lives and so are security issues.

There has been a significant increase of regulations being set up including compliance, and this has resulted in some constraints in tech. I think we need to change our mindset, focusing more on purpose and less on strict and basic alignment with regulatory standards and norms.

Of course, it’s good to have regulation. When monitoring the safety of transport, like aeroplanes and cars, regulation is needed to make sure that the vehicle doesn’t crash.

However, regulation presents the idea of what best practices are and these practices can become commonplace. We need to preserve the identity and purpose of different companies.

A big mistake for organisations would be to let compliance define and drive company strategy. Compliance must be addressed, but it cannot be the purpose.

How can we address the security challenges currently facing your industry?

The world is more competitive than ever and now the factor of success is agility. You need maturity to be agile, and it’s not necessarily being fast at executing or wholly focused on the technology.

The more heterogeneous the technologies used, the more efficient organisations need to be when building the technology and operating it. It requires governance, a mobilised and trained team of professionals, and carefully selected tooling. Companies need to focus on their purpose and specific needs, not just the technology that’s required.

Organisations must also be natural about the way they work so they can accelerate efficiently, going back to basics. Whenever I’m feeling lost, I always go back to the basics, looking at basic security methods and solutions like access controls, configuration management, privileged access management and so on.

‘Keep it simple, stupid’ always rings true in security and, in fact, this is a mantra I live by in daily life. Whenever I face a challenge, I need to organise things clearly, starting with the basics. Once clear on the basics, everything else is not as difficult because it’s likely that the problem has already been solved.

To me, it’s impossible for an organisation to build good security without being able to manage access, privileges and credentials across endpoints, the data centre or the cloud environment.

It’s important to remember that basic is not a negative thing. It’s a first step – a strong first step is good for the rest.
